Cross-frame scripting in Unified Communications Manager (CallManager) - CVE-2018-0355
Published: June 7, 2018
Vulnerability identifier: #VU13205
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0355
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Unified Communications Manager (CallManager)
Unified Communications Manager (CallManager)
Detailed vulnerability description
The vulnerability allows a remote attacker to execute a cross-frame scripting (XFS) attack.
The weakness exists in the web UI of Cisco Unified Communications Manager (Unified CM) due to insufficient protections for HTML inline frames (iframes) by the web UI. A remote attacker can trick the victim into visiting a specially crafted website, conduct XFS-attack and conduct click-jacking or other client-side browser attacks on the affected system.
The weakness exists in the web UI of Cisco Unified Communications Manager (Unified CM) due to insufficient protections for HTML inline frames (iframes) by the web UI. A remote attacker can trick the victim into visiting a specially crafted website, conduct XFS-attack and conduct click-jacking or other client-side browser attacks on the affected system.
How to mitigate CVE-2018-0355
Update to versions 11.5(1.15900.8), 12.5(0.98000.666), 12.5(0.98000.667)